101480a9d6c96a96091c42b7c558ab9c0adc09d4f9730d5216e7f3ef365d364a

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f407c4818e8e0bc52daf302de01c5ff.exe
Size

548KB
MD5

7f407c4818e8e0bc52daf302de01c5ff
SHA1

4be5722df2f3e9a6f37cc2d222d0d1323fb32300
SHA256

101480a9d6c96a96091c42b7c558ab9c0adc09d4f9730d5216e7f3ef365d364a
SHA512

796c631daa63980c2a7b7fdaf8bba7d8fc64566b1c0080706e9f9457ce41a266242974ab1818f9db1fb096632f526c196ea34a57f5bea0f92f5bed42d71e52d0
SSDEEP

12288:+HaAVh1BKEreW4zR5Q9EYm3joco4zs+swiWkUSkxQ9:+v10EC7MV2EcoJKSW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2236	ecfcabfbddcac.exe

Loads dropped DLL 10 IoCs

pid	Process
2428	7f407c4818e8e0bc52daf302de01c5ff.exe
2428	7f407c4818e8e0bc52daf302de01c5ff.exe
2428	7f407c4818e8e0bc52daf302de01c5ff.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2924	2236	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2828	wmic.exe
Token: SeSecurityPrivilege	2828	wmic.exe
Token: SeTakeOwnershipPrivilege	2828	wmic.exe
Token: SeLoadDriverPrivilege	2828	wmic.exe
Token: SeSystemProfilePrivilege	2828	wmic.exe
Token: SeSystemtimePrivilege	2828	wmic.exe
Token: SeProfSingleProcessPrivilege	2828	wmic.exe
Token: SeIncBasePriorityPrivilege	2828	wmic.exe
Token: SeCreatePagefilePrivilege	2828	wmic.exe
Token: SeBackupPrivilege	2828	wmic.exe
Token: SeRestorePrivilege	2828	wmic.exe
Token: SeShutdownPrivilege	2828	wmic.exe
Token: SeDebugPrivilege	2828	wmic.exe
Token: SeSystemEnvironmentPrivilege	2828	wmic.exe
Token: SeRemoteShutdownPrivilege	2828	wmic.exe
Token: SeUndockPrivilege	2828	wmic.exe
Token: SeManageVolumePrivilege	2828	wmic.exe
Token: 33	2828	wmic.exe
Token: 34	2828	wmic.exe
Token: 35	2828	wmic.exe
Token: SeIncreaseQuotaPrivilege	2668	wmic.exe
Token: SeSecurityPrivilege	2668	wmic.exe
Token: SeTakeOwnershipPrivilege	2668	wmic.exe
Token: SeLoadDriverPrivilege	2668	wmic.exe
Token: SeSystemProfilePrivilege	2668	wmic.exe
Token: SeSystemtimePrivilege	2668	wmic.exe
Token: SeProfSingleProcessPrivilege	2668	wmic.exe
Token: SeIncBasePriorityPrivilege	2668	wmic.exe
Token: SeCreatePagefilePrivilege	2668	wmic.exe
Token: SeBackupPrivilege	2668	wmic.exe
Token: SeRestorePrivilege	2668	wmic.exe
Token: SeShutdownPrivilege	2668	wmic.exe
Token: SeDebugPrivilege	2668	wmic.exe
Token: SeSystemEnvironmentPrivilege	2668	wmic.exe
Token: SeRemoteShutdownPrivilege	2668	wmic.exe
Token: SeUndockPrivilege	2668	wmic.exe
Token: SeManageVolumePrivilege	2668	wmic.exe
Token: 33	2668	wmic.exe
Token: 34	2668	wmic.exe
Token: 35	2668	wmic.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2236	2428	7f407c4818e8e0bc52daf302de01c5ff.exe	28
PID 2428 wrote to memory of 2236	2428	7f407c4818e8e0bc52daf302de01c5ff.exe	28
PID 2428 wrote to memory of 2236	2428	7f407c4818e8e0bc52daf302de01c5ff.exe	28
PID 2428 wrote to memory of 2236	2428	7f407c4818e8e0bc52daf302de01c5ff.exe	28
PID 2236 wrote to memory of 2828	2236	ecfcabfbddcac.exe	29
PID 2236 wrote to memory of 2828	2236	ecfcabfbddcac.exe	29
PID 2236 wrote to memory of 2828	2236	ecfcabfbddcac.exe	29
PID 2236 wrote to memory of 2828	2236	ecfcabfbddcac.exe	29
PID 2236 wrote to memory of 2668	2236	ecfcabfbddcac.exe	32
PID 2236 wrote to memory of 2668	2236	ecfcabfbddcac.exe	32
PID 2236 wrote to memory of 2668	2236	ecfcabfbddcac.exe	32
PID 2236 wrote to memory of 2668	2236	ecfcabfbddcac.exe	32
PID 2236 wrote to memory of 2616	2236	ecfcabfbddcac.exe	34
PID 2236 wrote to memory of 2616	2236	ecfcabfbddcac.exe	34
PID 2236 wrote to memory of 2616	2236	ecfcabfbddcac.exe	34
PID 2236 wrote to memory of 2616	2236	ecfcabfbddcac.exe	34
PID 2236 wrote to memory of 2600	2236	ecfcabfbddcac.exe	36
PID 2236 wrote to memory of 2600	2236	ecfcabfbddcac.exe	36
PID 2236 wrote to memory of 2600	2236	ecfcabfbddcac.exe	36
PID 2236 wrote to memory of 2600	2236	ecfcabfbddcac.exe	36
PID 2236 wrote to memory of 2140	2236	ecfcabfbddcac.exe	38
PID 2236 wrote to memory of 2140	2236	ecfcabfbddcac.exe	38
PID 2236 wrote to memory of 2140	2236	ecfcabfbddcac.exe	38
PID 2236 wrote to memory of 2140	2236	ecfcabfbddcac.exe	38
PID 2236 wrote to memory of 2924	2236	ecfcabfbddcac.exe	40
PID 2236 wrote to memory of 2924	2236	ecfcabfbddcac.exe	40
PID 2236 wrote to memory of 2924	2236	ecfcabfbddcac.exe	40
PID 2236 wrote to memory of 2924	2236	ecfcabfbddcac.exe	40

C:\Users\Admin\AppData\Local\Temp\7f407c4818e8e0bc52daf302de01c5ff.exe
"C:\Users\Admin\AppData\Local\Temp\7f407c4818e8e0bc52daf302de01c5ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\ecfcabfbddcac.exe
  C:\Users\Admin\AppData\Local\Temp\ecfcabfbddcac.exe 1)1)9)8)8)3)9)4)3)8)1 Lk9APDUuLi0xMB8uUkw6SEY7OS0YLk1ES09HT0JFQTUwHy47QUtRQEA6KjIvNicYJ0BAQDooHy5PSUc8UjpQXEFDPDEpKi4tFytQPVFVRElXTU9DOWVsc285Jidrb20qQT1SSixLR0gqOExNJkhNRUYYJ0BDRUBDSEM8Fyc8LjQpLhguQzE0JSkdJkAwNSwwHyY8LDokLR0nQzQ8JCkYLEdOTDxUQlNWSEpGTT1AUTwfLkdKR0FMP1FXRFRLODUYLEdOTDxUQlNWRjlKPDlNSk5DVDpMV0s4SUIYLkRXPFdNT0M5HSdEV0RWO0VBQ0VLPTwfLj9HS1FWPk9HVlJESTUqHSZQRTlNSlhGTVdSSUg6GC5VTDQqGCw7Ty41Hy5RTEZMRkRBXE9ES0JGRT1GRD1EPVRRSzQYJ0ZKW09NTVNIRD01cWlxYhguUURLTUpLQEpEV1RSRElXPD5QTzoqHy5HQDw9VTQtHSdIUl47UUY+REVAV0RNQklRSFE8QDpeYGtyXBgnQUZTS0ROQENWQUg6KDItJjA2NSUpLzAlLS4uHy5TQEU9OigwMCgvLzAtKi4dJkBMT01LTjg8V1FASUI1My4xLCcqLSgxJykvOTMnMiozIUxKGC5UQDRFZ3dgaGlZJDFlLCYoKB9TZmZjbnZqI0ZRIjIrKygqQGdoZGJOYV9DaHMkKV4tMC4qMC4qJ0o/TEVJHC5gI2toalwjP2JaZ2whKkJnaWdlYhwuYywzLS8lKis0LSotI1JgZVhqYSIpYjIrNi0yLRgnUklIOmBzc28cK1kiKWIiKmVmZGsmKC4pMGMmaG1lZh0qY0lxa0xobGQ7Z29rY2teXExgbVhfXW9WYGJoa254HCpeLisvLSgvMDUpLB0vXS0xKy8vLyguKjEcLmMpMzIvJygpMykwIitlNTAnKSgtJy41KzBYVkkoRlFMIS9eYkNyZ0Y8PmxKdlJpT1NAckRmL3BHT1g3TGE9cUthPWhSaW52QD9GMllTQ2xgVkVkUGV1XUxDOlFTL0lOSVJvX1FMc0xRSk5vYGQ1ZlpWQXlYPzpxUUAuSVRqLy9NY0dGVGgtQFNUTGVSRD1sVz9nZmFOSTFTKWh1UFJnQ04rRmVCaEdkWDEwbFFmQ3FHZ0VzTVNAbUR3OC5JTHN3WE4+TFdOUkBCakF0SXEpdlBERmVgVkVlWXJ0akZVaG5iQydx
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706513519.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706513519.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706513519.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706513519.txt bios get version
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706513519.txt bios get version
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81706513519.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddcac.exe

Filesize
764KB

MD5
d54df4557c02f12776d9b15bb47cdf89

SHA1
616c2037ab634bd15c297c9af8d8a81023404264

SHA256
f2579dbb28e689f7f76a8c4dac35cf8cda487f82799b05ba30e9bd6cc3883482

SHA512
57a13d3624c487489a4d55e907ef52408755f9ba62ee2157f00782074ee8c1db29898fa51f1a2367696f6e4f3e84c3176765f94632e30ba6af890a46de1a15b2

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbddcac.exe

Filesize
581KB

MD5
126c3837d690b2ba09fb832682c1ea54

SHA1
1b104061c1cbe63b5c70a413410f16303246c6b1

SHA256
cd50b5bc89feac78445ad21d36b633d42c8e6c71376be284635428e045509953

SHA512
45393235bcdb922effb63d36b3178b0150734f944a234f8d30a811c7304ae2be662e1af873990191032bdffde0e62a8ced31c85f315966e6377c1db656dc9afa

Download Submit
\Users\Admin\AppData\Local\Temp\nso3E59.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
\Users\Admin\AppData\Local\Temp\nso3E59.tmp\nwryavwr.dll

Filesize
107KB

MD5
1353d790f14330380d8e54671b6e8e39

SHA1
ab6b6f3c3ab85f6a40a4fa6cf90c289e79ab5223

SHA256
e21b8a739f8a48e1b36e8fa5fd559315d24a4507d3f1dd5885b0a756e26fdcc0

SHA512
35b66d7ff413a9c26032f178da1bad2ebbe46c8dfc54923d52e296712ba4643803b89737e4a22a2493ee7156294e16b0104cdea818ad8b4e16f64b2dc7f1758c

Download Submit